Nonce support for the Insent Javascript

Insent lets customers add a nonce value to the JavaScript snippet so that Insent can run on pages protected by a Content Security Policy (CSP). This requires setting up a nonce-aware version of the Insent Javascript.

The Content Security Policy is a well-supported web security standard introduced to prevent certain types of injection-based attacks by giving developers control over resources loaded by applications. 

Note

If you are deploying Insent Javascript on your webpage through a self-hosted version via APIs, please use the nonce-aware version of Insent Javascript.

Insent Javascript nonce-aware implementation (Sample Script)

To use Insent on a page with a Content Security Policy, the CSP must allow for the execution of the Insent Javascript snippet, which is an inline JavaScript snippet that injects the chat iframe.

Insert a cryptographically secure random nonce in the nonce attribute of the inline <script> tag:

<script nonce="RandomNonceValue" id="insent-script"> // Pass Nonce value to Insent JS Header  
//insentLoadLazy = true; // optional parameter to hide widget until setVisitor is called.
insentCompanyDomain = 'company.com'; // Pass company domain  
insentProjectName = 'company'; // Pass project name
insentProjectKey = 'ProjectKey'; // Pass project key
var t = window.insent || {}; t.queue = [];   
(t.SCRIPT_VERSION = '0.1.2'),  
(t.methods = ['widget', 'listener', 'setVisitor']),   
(t.factory = function (e) { return function () { 
    var n = Array.prototype.slice.call(arguments); return n.unshift(e), t.queue.push(n), t;
};}),   
t.methods.forEach(function (e) { t[e] = t.factory(e); }); 
insent = t;   
var s = document.createElement('script');   
s.setAttribute('nonce', 'RandomNonceValue'); // set the nonce value   
(s.type = 'text/javascript'), (s.charset = 'utf-8'), (s.defer = !0),   
(s.src = 'https://company.widget.insent.ai/insent'),   
window.addEventListener('load', function (n) {   document.body.appendChild(s);   });
</script>

Insent will then propagate the nonce to any scripts that it adds to the page. 

There are other approaches to enabling the execution of an inline script, such as supplying the hash of the inline script in the CSP. Please consult CSP documentation for more details.

Note

Please ensure the correct values are provided for insentCompanyDomain, insentProjectName, etc. Refer to the Integrations → Script section to find the right values for these variables.

You are now ready to get started with Insent. Please refer to our Getting started - Admin guide to set up your first conversation.

Nonce Browser Support

  • Nonces are supported in Chrome, Firefox, Safari 10+ and Edge 15+.
  • Nonces are not supported in Internet Explorer.

You are always welcome to contact our Customer Success team at success@insent.ai or reach out to us through the Insent widget for any further clarifications or questions!
